setup.sh: add OBMP_AUTH_MODE for local vs authelia bootstrap

The bootstrap previously hard-required OBMP_DOMAIN and OBMP_COOKIE_DOMAIN even when a user just wanted a local lab deployment with Grafana's built-in login -- those vars only feed Authelia's session-cookie domain and the public URL it lives behind. On a fresh host with no FQDN this made ./setup.sh impossible to pass without inventing dummy values. New OBMP_AUTH_MODE=local|authelia in .env (default local) gates the FQDN validation, Authelia secret generation, Authelia config rendering, and the auth-profile image pull/build. setup.sh also writes GF_SERVER_ROOT_URL into .env -- http://HOST_IP:3000/grafana/ for local, https://OBMP_DOMAIN/grafana/ for authelia -- and docker-compose.yml now reads ${GF_SERVER_ROOT_URL} instead of hardcoding the apodacalab.com fallback. Back-compat: an existing .env with no OBMP_AUTH_MODE but a real OBMP_DOMAIN or an existing AUTHELIA_SESSION_SECRET is inferred as 'authelia' and the mode is persisted -- a re-run on a live Authelia host won't silently flip it to local and break the next docker compose up. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 13:35:22 -07:00 · 2026-05-24 13:35:22 -07:00 · 4bcf368af0
commit 4bcf368af0
parent ef932fe1e8
3 changed files with 136 additions and 41 deletions
--- a/.env.example
+++ b/.env.example
@ -12,12 +12,26 @@ OBMP_DATA_ROOT=/var/openbmp
 # (Kafka external listener, BMP source, ExaBGP peering).
 HOST_IP=changeme

+# Auth mode:
+#   local    — Grafana built-in login (admin / openbmp). Lab default.
+#              OBMP_DOMAIN / OBMP_COOKIE_DOMAIN below can stay blank.
+#   authelia — Authelia in front (docker compose --profile auth).
+#              OBMP_DOMAIN and OBMP_COOKIE_DOMAIN must be set, and a
+#              reverse proxy must terminate TLS at OBMP_DOMAIN.
+OBMP_AUTH_MODE=local
+
 # Public domain fronting Grafana / Authelia / portal (TLS terminates upstream).
-OBMP_DOMAIN=changeme.example.com
+# Only required when OBMP_AUTH_MODE=authelia.
+OBMP_DOMAIN=

 # Authelia session-cookie domain — the parent domain of OBMP_DOMAIN so the
-# cookie is valid across subpaths/subdomains.
-OBMP_COOKIE_DOMAIN=example.com
+# cookie is valid across subpaths/subdomains. Only required when
+# OBMP_AUTH_MODE=authelia.
+OBMP_COOKIE_DOMAIN=
+
+# Grafana self-generated URL (alerts, share links). setup.sh writes this
+# automatically based on OBMP_AUTH_MODE — leave blank, it will be filled in.
+GF_SERVER_ROOT_URL=

 # Container memory limits. Lab defaults shown; raise for production
 # (see docs/production-sizing.md). psql-app's limit must exceed its MEM heap.
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -115,7 +115,11 @@ services:
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=openbmp
      - GF_AUTH_ANONYMOUS_ENABLED=false
-      - GF_SERVER_ROOT_URL=https://${OBMP_DOMAIN:-bmp.apodacalab.com}/grafana/
+      # setup.sh writes GF_SERVER_ROOT_URL into .env based on OBMP_AUTH_MODE
+      # (http://HOST_IP:3000/grafana/ for local, https://OBMP_DOMAIN/grafana/
+      # for authelia). The fallback only matters if compose is run before
+      # setup.sh — keeps Grafana up at a sane URL.
+      - GF_SERVER_ROOT_URL=${GF_SERVER_ROOT_URL:-http://localhost:3000/grafana/}
      - GF_SERVER_SERVE_FROM_SUB_PATH=true
      - GF_AUTH_PROXY_ENABLED=true
      - GF_AUTH_PROXY_HEADER_NAME=Remote-User
--- a/setup.sh
+++ b/setup.sh
@ -4,10 +4,14 @@
 # deployment: every step is guarded and never overwrites live config.
 #
 #   cp .env.example .env   # first run only
-#   $EDITOR .env           # fill in HOST_IP, OBMP_DOMAIN, ...
-#   ./setup.sh
+#   $EDITOR .env           # at minimum fill in HOST_IP
+#   ./setup.sh             # local-auth mode by default
 #   docker compose up -d                  # collector core
-#   docker compose --profile test --profile auth up -d  # full stack
+#   docker compose --profile test up -d   # + lab feeders (ExaBGP, gobgp, ...)
+#
+# For Authelia mode, set OBMP_AUTH_MODE=authelia plus OBMP_DOMAIN and
+# OBMP_COOKIE_DOMAIN in .env before running setup.sh, then bring up with
+#   docker compose --profile test --profile auth up -d
 #
 set -euo pipefail
 cd "$(dirname "$0")"
@ -18,7 +22,8 @@ AUTHELIA_IMAGE="authelia/authelia:4.38"
 if [ ! -f .env ]; then
    cp .env.example .env
    echo "Created .env from .env.example."
-    echo "Edit it (HOST_IP, OBMP_DOMAIN, OBMP_COOKIE_DOMAIN, credentials), then re-run ./setup.sh"
+    echo "Edit it (set HOST_IP at minimum; OBMP_DOMAIN/OBMP_COOKIE_DOMAIN only"
+    echo "if OBMP_AUTH_MODE=authelia), then re-run ./setup.sh"
    exit 1
 fi

@ -42,10 +47,40 @@ OBMP_DATA_ROOT="${OBMP_DATA_ROOT:-/var/openbmp}"
 OBMP_DOMAIN="$(get_env OBMP_DOMAIN)"
 OBMP_COOKIE_DOMAIN="$(get_env OBMP_COOKIE_DOMAIN)"
 HOST_IP="$(get_env HOST_IP)"
+OBMP_AUTH_MODE="$(get_env OBMP_AUTH_MODE)"
+if [ -z "$OBMP_AUTH_MODE" ]; then
+    # Back-compat: existing deployments predate OBMP_AUTH_MODE. If Authelia was
+    # ever initialized (session secret present) or a real OBMP_DOMAIN is set,
+    # this is an Authelia host — default to that mode rather than flipping it
+    # to local and breaking the next `docker compose up`. Fresh .env from
+    # .env.example explicitly sets OBMP_AUTH_MODE=local, so this branch only
+    # triggers for pre-existing installs.
+    if [ -n "$(get_env AUTHELIA_SESSION_SECRET)" ] || \
+       { [ -n "$OBMP_DOMAIN" ] && [[ "$OBMP_DOMAIN" != changeme* ]]; }; then
+        OBMP_AUTH_MODE="authelia"
+        echo "OBMP_AUTH_MODE not set; inferred 'authelia' from existing .env"
+    else
+        OBMP_AUTH_MODE="local"
+        echo "OBMP_AUTH_MODE not set; defaulting to 'local'"
+    fi
+    set_env OBMP_AUTH_MODE "$OBMP_AUTH_MODE"
+fi

 # --- validate ---------------------------------------------------------------
+# HOST_IP is always required. OBMP_DOMAIN / OBMP_COOKIE_DOMAIN are only
+# required when OBMP_AUTH_MODE=authelia (Authelia needs a real cookie domain
+# and the public URL it lives behind).
 fail=0
-for var in HOST_IP OBMP_DOMAIN OBMP_COOKIE_DOMAIN; do
+required=(HOST_IP)
+case "$OBMP_AUTH_MODE" in
+    local)    ;;
+    authelia) required+=(OBMP_DOMAIN OBMP_COOKIE_DOMAIN) ;;
+    *)
+        echo "ERROR: OBMP_AUTH_MODE='$OBMP_AUTH_MODE' (must be 'local' or 'authelia')" >&2
+        exit 1
+        ;;
+esac
+for var in "${required[@]}"; do
    val="$(get_env "$var")"
    if [ -z "$val" ] || [[ "$val" == changeme* ]]; then
        echo "ERROR: $var is unset or still 'changeme' in .env" >&2
@ -53,6 +88,7 @@ for var in HOST_IP OBMP_DOMAIN OBMP_COOKIE_DOMAIN; do
    fi
 done
 [ "$fail" -eq 0 ] || { echo "Fix .env and re-run." >&2; exit 1; }
+echo "Auth mode: $OBMP_AUTH_MODE"

 # --- privilege helper -------------------------------------------------------
 # $OBMP_DATA_ROOT is often root-owned (e.g. /var/openbmp). Use sudo only if the
@ -77,38 +113,56 @@ $SUDO chmod -R 777 "$OBMP_DATA_ROOT" 2>/dev/null || true
 echo "Syncing Grafana provisioning ..."
 $SUDO cp -r obmp-grafana/provisioning/. "$OBMP_DATA_ROOT/grafana/provisioning/"

-# --- Authelia secrets -------------------------------------------------------
-# Generate only if blank/absent; never overwrite an existing value.
-for key in AUTHELIA_SESSION_SECRET AUTHELIA_JWT_SECRET AUTHELIA_STORAGE_ENCRYPTION_KEY; do
+# --- Grafana root URL -------------------------------------------------------
+# In local mode Grafana is hit directly on :3000; in authelia mode the public
+# URL is https://OBMP_DOMAIN/grafana/. setup.sh writes the right value into
+# .env so docker-compose just references ${GF_SERVER_ROOT_URL}.
+case "$OBMP_AUTH_MODE" in
+    local)    desired_root_url="http://${HOST_IP}:3000/grafana/" ;;
+    authelia) desired_root_url="https://${OBMP_DOMAIN}/grafana/" ;;
+esac
+current_root_url="$(get_env GF_SERVER_ROOT_URL)"
+if [ "$current_root_url" != "$desired_root_url" ]; then
+    set_env GF_SERVER_ROOT_URL "$desired_root_url"
+    echo "Set GF_SERVER_ROOT_URL=$desired_root_url"
+fi
+
+# --- Authelia setup (authelia mode only) ------------------------------------
+if [ "$OBMP_AUTH_MODE" = "authelia" ]; then
+    # Generate secrets only if blank/absent; never overwrite an existing value.
+    for key in AUTHELIA_SESSION_SECRET AUTHELIA_JWT_SECRET AUTHELIA_STORAGE_ENCRYPTION_KEY; do
        cur="$(get_env "$key")"
        if [ -z "$cur" ]; then
            set_env "$key" "$(openssl rand -hex 32)"
            echo "Generated $key"
        fi
-done
-AUTHELIA_SESSION_SECRET="$(get_env AUTHELIA_SESSION_SECRET)"
-AUTHELIA_JWT_SECRET="$(get_env AUTHELIA_JWT_SECRET)"
-AUTHELIA_STORAGE_ENCRYPTION_KEY="$(get_env AUTHELIA_STORAGE_ENCRYPTION_KEY)"
+    done
+    AUTHELIA_SESSION_SECRET="$(get_env AUTHELIA_SESSION_SECRET)"
+    AUTHELIA_JWT_SECRET="$(get_env AUTHELIA_JWT_SECRET)"
+    AUTHELIA_STORAGE_ENCRYPTION_KEY="$(get_env AUTHELIA_STORAGE_ENCRYPTION_KEY)"

-# --- Authelia config (fresh-deploy only — never clobber a live config) ------
-export AUTHELIA_SESSION_SECRET AUTHELIA_JWT_SECRET AUTHELIA_STORAGE_ENCRYPTION_KEY \
+    # Config files: fresh-deploy only — never clobber a live config.
+    export AUTHELIA_SESSION_SECRET AUTHELIA_JWT_SECRET AUTHELIA_STORAGE_ENCRYPTION_KEY \
           OBMP_DOMAIN OBMP_COOKIE_DOMAIN
-SUBST='${AUTHELIA_SESSION_SECRET} ${AUTHELIA_JWT_SECRET} ${AUTHELIA_STORAGE_ENCRYPTION_KEY} ${OBMP_DOMAIN} ${OBMP_COOKIE_DOMAIN}'
+    SUBST='${AUTHELIA_SESSION_SECRET} ${AUTHELIA_JWT_SECRET} ${AUTHELIA_STORAGE_ENCRYPTION_KEY} ${OBMP_DOMAIN} ${OBMP_COOKIE_DOMAIN}'

-if [ ! -f "$OBMP_DATA_ROOT/authelia/configuration.yml" ]; then
+    if [ ! -f "$OBMP_DATA_ROOT/authelia/configuration.yml" ]; then
        envsubst "$SUBST" < authelia/configuration.yml.template \
            | $SUDO tee "$OBMP_DATA_ROOT/authelia/configuration.yml" > /dev/null
        echo "Rendered authelia/configuration.yml"
-else
+    else
        echo "authelia/configuration.yml exists — left untouched"
-fi
+    fi

-if [ ! -f "$OBMP_DATA_ROOT/authelia/users_database.yml" ]; then
+    if [ ! -f "$OBMP_DATA_ROOT/authelia/users_database.yml" ]; then
        $SUDO cp authelia/users_database.yml.template \
            "$OBMP_DATA_ROOT/authelia/users_database.yml"
        echo "Rendered authelia/users_database.yml (demo user: openbmp)"
-else
+    else
        echo "authelia/users_database.yml exists — left untouched"
+    fi
+else
+    echo "Skipping Authelia setup (OBMP_AUTH_MODE=$OBMP_AUTH_MODE)"
 fi

 # --- gobgpd.conf rendering (host-side -- gobgp image is distroless) ---------
@ -122,16 +176,39 @@ for d in gobgp gobgp-evpn; do
 done

 # --- images -----------------------------------------------------------------
+# Always pull / build the `test` profile (ExaBGP, traffic-gen, gobgp -- the
+# lab feeder bits). Pull `auth` images only when that mode is selected so a
+# local-mode bootstrap on a fresh host doesn't drag in Authelia + portal.
 echo "Pulling and building images ..."
-docker compose pull --quiet
-docker compose --profile test --profile auth build
+if [ "$OBMP_AUTH_MODE" = "authelia" ]; then
+    docker compose --profile test --profile auth pull --quiet
+    docker compose --profile test --profile auth build
+else
+    docker compose --profile test pull --quiet
+    docker compose --profile test build
+fi

 # --- done -------------------------------------------------------------------
 cat <<EOF

 Setup complete.

+EOF
+if [ "$OBMP_AUTH_MODE" = "authelia" ]; then
+    cat <<EOF
  docker compose up -d                                 # BMP collector core
  docker compose --profile test --profile auth up -d   # full stack (lab + auth)

+  Grafana: https://${OBMP_DOMAIN}/grafana/  (behind Authelia)
 EOF
+else
+    cat <<EOF
+  docker compose up -d                   # BMP collector core
+  docker compose --profile test up -d    # collector + lab feeders (ExaBGP, gobgp, traffic-gen)
+
+  Grafana: http://${HOST_IP}:3000/grafana/   (login: admin / openbmp)
+
+  To switch on Authelia later: set OBMP_AUTH_MODE=authelia + OBMP_DOMAIN +
+  OBMP_COOKIE_DOMAIN in .env, re-run ./setup.sh, then add --profile auth.
+EOF
+fi